From f628c6de6b2cbcd8bb75abaafcfd1386ffa00a45 Mon Sep 17 00:00:00 2001
From: jesus-linares
Date: Tue, 9 Jul 2024 16:07:26 +0200
Subject: [PATCH] update
---
.github/workflows/trivy.yaml | 66 +++++++++++++++++++++++++++++++++---
Dockerfile1 | 13 +++++++
Dockerfile3 | 10 ++++++
3 files changed, 84 insertions(+), 5 deletions(-)
create mode 100644 Dockerfile1
create mode 100644 Dockerfile3
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index a74dbdd93..9886dd62e 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -12,16 +12,72 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Build Docker Image 1 (Vulnerable - Ubuntu)
+ run: |
+ docker build -t vulnerable-image-ubuntu -f Dockerfile1 .
- - name: Run Trivy vulnerability scanner in fs mode
+ - name: Build Docker Image 3 (Non-vulnerable)
+ run: |
+ docker build -t non-vulnerable-image -f Dockerfile3 .
+
+ - name: "Run Trivy vulnerability scanner: image"
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ image-ref: 'vulnerable-image-ubuntu'
+ scan-type: 'image'
+ vuln-type: 'os'
+ format: 'sarif'
+ output: 'trivy-results-image1.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results-image1.sarif'
+ category: 'image'
+
+ - name: "Run Trivy vulnerability scanner: image"
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ image-ref: 'non-vulnerable-image'
+ scan-type: 'image'
+ vuln-type: 'os'
+ format: 'sarif'
+ output: 'trivy-results-image2.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results-image2.sarif'
+ category: 'image'
+
+ - name: "Run Trivy vulnerability scanner: image"
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ image-ref: 'vulnerable-image-ubuntu'
+ scan-type: 'image'
+ scanners: 'vuln,secret'
+ vuln-type: 'os'
+ format: 'sarif'
+ output: 'trivy-results-image1.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results-image1.sarif'
+ category: 'image'
+
+ - name: "Run Trivy vulnerability scanner: image"
 uses: aquasecurity/trivy-action@0.23.0
 with:
- scan-type: 'fs'
- scan-ref: '.'
+ image-ref: 'non-vulnerable-image'
+ scan-type: 'image'
+ scanners: 'vuln,secret'
+ vuln-type: 'os'
 format: 'sarif'
- output: 'trivy-results.sarif'
+ output: 'trivy-results-image2.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: 'trivy-results.sarif'
+ sarif_file: 'trivy-results-image2.sarif'
+ category: 'image'
diff --git a/Dockerfile1 b/Dockerfile1
new file mode 100644
index 000000000..6029ce87c
--- /dev/null
+++ b/Dockerfile1
@@ -0,0 +1,13 @@
+# Dockerfile 1 (Vulnerable)
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+ apt-get install -y \
+ openssl \
+ curl
+
+# Deliberately using an old version of OpenSSL with known vulnerabilities
+RUN apt-get install -y openssl=1.1.0g-2ubuntu4.3
+
+# Adding a fake AWS secret key
+RUN echo "AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" > /root/.aws/credentials
\ No newline at end of file
diff --git a/Dockerfile3 b/Dockerfile3
new file mode 100644
index 000000000..21da59a1f
--- /dev/null
+++ b/Dockerfile3
@@ -0,0 +1,10 @@
+# Dockerfile 3 (Non-vulnerable)
+FROM ubuntu:20.04
+
+RUN apt-get update && \
+ apt-get install -y \
+ openssl \
+ curl
+
+# Using the latest versions with no known vulnerabilities
+RUN apt-get install -y openssl
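Review bot: All four `Upload Trivy scan results to GitHub Security tab` steps in this hunk upload with the same `category: 'image'`, and as far as I understand the upload-sarif contract Code Scanning treats uploads that share a category and commit as one analysis, with each later upload superseding the previous one — so the vulnerable-image findings are replaced by the non-vulnerable-image results, and the two `scanners: 'vuln,secret'` runs additionally overwrite the `trivy-results-image1.sarif` / `trivy-results-image2.sarif` files the vuln-only runs just produced. Give each scan/upload pair its own category and output name, e.g. `category: 'image-vulnerable-vuln'`, `category: 'image-nonvulnerable-vuln-secret'`, `output: 'trivy-results-vulnerable-vuln-secret.sarif'`, and distinguish the four identical `Run Trivy vulnerability scanner: image` step names so a failing step is identifiable in the run log. Since the commit adds three more `uses: aquasecurity/trivy-action@0.23.0` references and four `upload-sarif@v3` references, this is also the moment to pin both actions to a full commit SHA rather than a mutable tag. The job and its `steps:` header start above the hunk.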
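Review bot: `RUN echo "AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" > /root/.aws/credentials` on the last line of Dockerfile1 redirects into a directory nothing in the file creates, so the shell fails with "No such file or directory", the `RUN` fails, and the `Build Docker Image 1` workflow step aborts before any scan runs; change it to `RUN mkdir -p /root/.aws && echo "AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" > /root/.aws/credentials`. The pin `openssl=1.1.0g-2ubuntu4.3` is fragile as well: the second `apt-get install` resolves against whatever the bionic archive serves at build time, and if that exact version has been superseded or the archive has moved now that 18.04 is out of standard support, apt aborts the build — either accept the openssl the base image already installed in the first `RUN` (the file's stated intent is only "old OpenSSL") or note above the line that the pin is expected to stop resolving. A comment above the credential line should also say what the value is, e.g. `# Fixture only: AWS's published example key ID, present solely to exercise Trivy's secret scanner`.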
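Review bot: The comment `# Using the latest versions with no known vulnerabilities` in Dockerfile3 overstates what the image guarantees — `ubuntu:20.04` is a mutable tag, and the final `RUN apt-get install -y openssl` is a no-op because `openssl` was already installed by the preceding `RUN`, so the scan outcome for `non-vulnerable-image` depends entirely on the archive state at build time and may well not be free of findings. Drop the redundant `RUN` and reword the comment to what is actually true, e.g. `# Reference image: stock 20.04 openssl; expected to show fewer findings than Dockerfile1, not necessarily zero`. Both new Dockerfiles also leave `/var/lib/apt/lists` in the image; appending `&& rm -rf /var/lib/apt/lists/*` to the install `RUN` is the usual cleanup, though it does not change the scan result.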